CVE-2025-65942: VictoriaMetrics' Snappy Decoder DoS Vulnerability is Causing OOM
Affected versions are vulnerable to DoS attacks because the snappy decoder ignored VictoriaMetrics' request size limits, allowing a malformed block to trigger excessive memory use. This could lead to OOM errors and service instability. The fix enforces block-size checks based on the MaxRequest limits.
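The mitigation pattern the advisory describes, as an added example that is not VictoriaMetrics' code and not the fix from the commit referenced below: a raw Snappy block begins with a uvarint preamble declaring the decoded length, so a guard can read that preamble and compare it against a request size limit before any output buffer is allocated. A tiny block can declare a multi-gigabyte decoded length; without the check, a decoder that trusts the preamble allocates that much memory. The names `CheckBlockSize`, `DeclaredDecodedLen`, `MaliciousBlock` and the 64 MiB limit are assumptions chosen for illustration; the Go snappy library's `snappy.DecodedLen` reads the same preamble and could be used in place of the hand-rolled parser.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Errors returned by the guard. Names are assumptions for this example.
var (
	ErrBlockTooLarge   = errors.New("snappy block: declared decoded length exceeds request size limit")
	ErrMalformedHeader = errors.New("snappy block: malformed length preamble")
)

// DeclaredDecodedLen reads the uvarint preamble that a raw Snappy block carries
// before any compressed data. It reads only the header; nothing is allocated.
func DeclaredDecodedLen(block []byte) (uint64, error) {
	n, k := binary.Uvarint(block)
	if k <= 0 { // k == 0: truncated varint, k < 0: overflow beyond 64 bits
		return 0, ErrMalformedHeader
	}
	return n, nil
}

// CheckBlockSize is the guard a decoder should run before allocating its output
// buffer: reject any block whose declared decoded length exceeds the limit the
// request is allowed to expand to. Only after this passes should the real
// snappy decode (which allocates the declared length) be called.
func CheckBlockSize(block []byte, maxDecodedBytes uint64) error {
	n, err := DeclaredDecodedLen(block)
	if err != nil {
		return err
	}
	if n > maxDecodedBytes {
		return fmt.Errorf("%w: declared %d bytes, limit %d bytes", ErrBlockTooLarge, n, maxDecodedBytes)
	}
	return nil
}

// MaliciousBlock constructs a sample block for the demonstration: a valid
// uvarint preamble claiming `declared` decoded bytes followed by a single junk
// byte. The block itself is a few bytes long regardless of the claimed length.
func MaliciousBlock(declared uint64) []byte {
	buf := make([]byte, binary.MaxVarintLen64)
	k := binary.PutUvarint(buf, declared)
	return append(buf[:k], 0x00)
}

func main() {
	const maxDecoded = 64 << 20 // 64 MiB; an assumed per-request limit

	small := MaliciousBlock(1024)
	huge := MaliciousBlock(1 << 40) // claims 1 TiB from a 7-byte block
	truncated := []byte{0xff}       // varint continuation bit set, no next byte

	for name, block := range map[string][]byte{"small": small, "huge": huge, "truncated": truncated} {
		if err := CheckBlockSize(block, maxDecoded); err != nil {
			fmt.Printf("%-9s rejected (%d bytes on the wire): %v\n", name, len(block), err)
			continue
		}
		fmt.Printf("%-9s accepted (%d bytes on the wire)\n", name, len(block))
	}
}
```

The point of the ordering is that the check costs only a varint decode, while the allocation it prevents is sized by attacker-controlled input; the same guard applies to any length-prefixed format that is decoded on behalf of a remote client.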
References
- github.com/VictoriaMetrics/VictoriaMetrics
- github.com/VictoriaMetrics/VictoriaMetrics/commit/51b44afd34d2c9a392d4ebedeeb5b4a7f5beca24
- github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.110.23
- github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.122.8
- github.com/VictoriaMetrics/VictoriaMetrics/releases/tag/v1.129.1
- github.com/VictoriaMetrics/VictoriaMetrics/security/advisories/GHSA-66jq-2c23-2xh5
- github.com/advisories/GHSA-66jq-2c23-2xh5
- nvd.nist.gov/vuln/detail/CVE-2025-65942